|
Lines 208-213
verify_host_key_dns(const char *hostname, struct sockaddr *address,
Link Here
|
| 208 |
u_char *dnskey_digest; |
208 |
u_char *dnskey_digest; |
| 209 |
u_int dnskey_digest_len; |
209 |
u_int dnskey_digest_len; |
| 210 |
|
210 |
|
|
|
211 |
u_int found_cnt[256]; |
| 212 |
u_int match_cnt[256]; |
| 213 |
memset(&found_cnt, 0, sizeof(found_cnt)); |
| 214 |
memset(&match_cnt, 0, sizeof(match_cnt)); |
| 215 |
|
| 211 |
*flags = 0; |
216 |
*flags = 0; |
| 212 |
|
217 |
|
| 213 |
debug3("verify_host_key_dns"); |
218 |
debug3("verify_host_key_dns"); |
|
Lines 273-285
verify_host_key_dns(const char *hostname, struct sockaddr *address,
Link Here
|
| 273 |
} |
278 |
} |
| 274 |
} |
279 |
} |
| 275 |
|
280 |
|
|
|
281 |
if (hostkey_algorithm == dnskey_algorithm) |
| 282 |
found_cnt[dnskey_digest_type]++; |
| 283 |
|
| 276 |
/* Check if the current key is the same as the given key */ |
284 |
/* Check if the current key is the same as the given key */ |
| 277 |
if (hostkey_algorithm == dnskey_algorithm && |
285 |
if (hostkey_algorithm == dnskey_algorithm && |
| 278 |
hostkey_digest_type == dnskey_digest_type) { |
286 |
hostkey_digest_type == dnskey_digest_type) { |
| 279 |
if (hostkey_digest_len == dnskey_digest_len && |
287 |
if (hostkey_digest_len == dnskey_digest_len && |
| 280 |
timingsafe_bcmp(hostkey_digest, dnskey_digest, |
288 |
timingsafe_bcmp(hostkey_digest, dnskey_digest, |
| 281 |
hostkey_digest_len) == 0) |
289 |
hostkey_digest_len) == 0) |
| 282 |
*flags |= DNS_VERIFY_MATCH; |
290 |
match_cnt[dnskey_digest_type]++; |
| 283 |
} |
291 |
} |
| 284 |
xfree(dnskey_digest); |
292 |
xfree(dnskey_digest); |
| 285 |
} |
293 |
} |
|
Lines 287-298
verify_host_key_dns(const char *hostname, struct sockaddr *address,
Link Here
|
| 287 |
xfree(hostkey_digest); /* from key_fingerprint_raw() */ |
295 |
xfree(hostkey_digest); /* from key_fingerprint_raw() */ |
| 288 |
freerrset(fingerprints); |
296 |
freerrset(fingerprints); |
| 289 |
|
297 |
|
| 290 |
if (*flags & DNS_VERIFY_FOUND) |
298 |
if (*flags & DNS_VERIFY_FOUND) { |
| 291 |
if (*flags & DNS_VERIFY_MATCH) |
299 |
debug("found %d SHA1 fingerprints and %d SHA256 fingerprints", |
| 292 |
debug("matching host key fingerprint found in DNS"); |
300 |
found_cnt[SSHFP_HASH_SHA1], found_cnt[SSHFP_HASH_SHA256]); |
|
|
301 |
debug("matched %d SHA1 fingerprints and %d SHA256 fingerprints", |
| 302 |
match_cnt[SSHFP_HASH_SHA1], match_cnt[SSHFP_HASH_SHA256]); |
| 303 |
if (found_cnt[SSHFP_HASH_SHA256] > 0) |
| 304 |
if (match_cnt[SSHFP_HASH_SHA256] > 0) { |
| 305 |
debug("matching SHA256 host key fingerprint found in DNS"); |
| 306 |
*flags |= DNS_VERIFY_MATCH; |
| 307 |
} else |
| 308 |
debug("no matching SHA256 host key fingerprint found in DNS"); |
| 293 |
else |
309 |
else |
| 294 |
debug("mismatching host key fingerprint found in DNS"); |
310 |
if (match_cnt[SSHFP_HASH_SHA1] > 0 && hostkey_algorithm < SSHFP_KEY_ECDSA ) { |
| 295 |
else |
311 |
debug("matching SHA1 host key fingerprint found in DNS"); |
|
|
312 |
*flags |= DNS_VERIFY_MATCH; |
| 313 |
} else |
| 314 |
debug("no matching SHA1 host key fingerprint found in DNS"); |
| 315 |
} else |
| 296 |
debug("no host key fingerprint found in DNS"); |
316 |
debug("no host key fingerprint found in DNS"); |
| 297 |
|
317 |
|
| 298 |
return 0; |
318 |
return 0; |
| 299 |
- |
|
|